From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 1970A13835D for ; Sun, 7 Feb 2021 03:20:49 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 64CB9E08AD; Sun, 7 Feb 2021 03:20:48 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 38E96E08AD for ; Sun, 7 Feb 2021 03:20:48 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 23E75343860 for ; Sun, 7 Feb 2021 03:20:47 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id BFDA44C8 for ; Sun, 7 Feb 2021 03:20:44 +0000 (UTC) 
From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1612646109.e3b92a0ef1585d742839a59a365a122eb000fb8e.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/services/dbus.te policy/modules/services/ssh.te policy/modules/system/authlogin.if policy/modules/system/locallogin.te policy/modules/system/systemd.if policy/modules/system/systemd.te X-VCS-Directories: policy/modules/services/ policy/modules/system/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: e3b92a0ef1585d742839a59a365a122eb000fb8e X-VCS-Branch: master Date: Sun, 7 Feb 2021 03:20:44 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: c0c7b642-9093-4272-879b-3a6380b7fde1 X-Archives-Hash: 2b693358ca3c70b158675c2ee1d3c38d commit: e3b92a0ef1585d742839a59a365a122eb000fb8e Author: Russell Coker coker com au> AuthorDate: Tue Feb 2 15:07:12 2021 +0000 Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 6 21:15:09 2021 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e3b92a0e machined This patch is for systemd-machined. Some of it will probably need discussion but some is obviously good, so Chris maybe you could take the bits you like for this release? Signed-off-by: Russell Coker coker.com.au> 
Signed-off-by: Jason Zaman gentoo.org> policy/modules/services/dbus.te | 6 +++++ policy/modules/services/ssh.te | 8 ++---- policy/modules/system/authlogin.if | 1 + policy/modules/system/locallogin.te | 1 + policy/modules/system/systemd.if | 52 +++++++++++++++++++++++++++++++++++++ policy/modules/system/systemd.te | 12 +++++++++ 6 files changed, 74 insertions(+), 6 deletions(-) diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index 26ffe456..cbbbd45b 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -157,6 +157,9 @@ miscfiles_read_generic_certs(system_dbusd_t) seutil_read_config(system_dbusd_t) seutil_read_default_contexts(system_dbusd_t) +# for machinectl shell +term_use_ptmx(system_dbusd_t) + userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t) userdom_dontaudit_search_user_home_dirs(system_dbusd_t) # read a file in ~/.local/share @@ -190,6 +193,9 @@ optional_policy(` systemd_read_logind_runtime_files(system_dbusd_t) systemd_write_inherited_logind_inhibit_pipes(system_dbusd_t) systemd_write_inherited_logind_sessions_pipes(system_dbusd_t) + + # for passing around terminal file handles for machinectl shell + systemd_use_machined_devpts(system_dbusd_t) ') optional_policy(` diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 63a0d824..c5749682 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -267,9 +267,10 @@ ifdef(`distro_debian',` ') ifdef(`init_systemd',` + auth_use_pam_systemd(sshd_t) init_dbus_chat(sshd_t) - systemd_dbus_chat_logind(sshd_t) init_rw_stream_sockets(sshd_t) + systemd_write_inherited_logind_sessions_pipes(sshd_t) ') tunable_policy(`ssh_sysadm_login',` @@ -311,11 +312,6 @@ optional_policy(` rssh_read_ro_content(sshd_t) ') -optional_policy(` - systemd_write_inherited_logind_sessions_pipes(sshd_t) - systemd_dbus_chat_logind(sshd_t) -') - optional_policy(` xserver_domtrans_xauth(sshd_t) xserver_link_xdm_keys(sshd_t) 
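Review bot: `term_use_ptmx(system_dbusd_t)` in the first dbus.te hunk grants more than fd passing needs: that interface gives rw_chr_file_perms on ptmx_t, which includes open, so the system bus daemon becomes able to allocate pseudo-terminals itself rather than only relay a master fd it received. If the denial being fixed is the receive-side check on a SCM_RIGHTS-passed ptmx fd (which is checked against the fd's open mode on its label, not open), a direct `allow system_dbusd_t ptmx_t:chr_file { read write };` would cover it with less exposure; please confirm against the audit record. The comment `# for machinectl shell` would also help a later reader if it said why dbus touches ptmx_t at all, e.g. `# machinectl shell passes the pty master fd through the bus; receiving it is checked against ptmx_t`.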
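Review bot: Replacing `systemd_dbus_chat_logind(sshd_t)` with `auth_use_pam_systemd(sshd_t)` in the first ssh.te hunk also pulls in `systemd_connect_machined(sshd_t)` through the authlogin.if hunk, so sshd_t gains a new socket permission that neither the hunk nor the commit message explains. Presumably pam_systemd is what talks to the machined userdb socket; a one-line comment above the call, `# pam_systemd: logind session setup and machined userdb lookups`, would record that. Moving `systemd_write_inherited_logind_sessions_pipes(sshd_t)` from the optional_policy block (deleted in the second ssh.te hunk) into the ifdef makes it unconditional under init_systemd, which is fine only if the systemd module is guaranteed present there; the enclosing ifdef and tunable blocks extend beyond the hunk.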
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index 08361bb5..753a7735 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -98,6 +98,7 @@ interface(`auth_use_pam',` # interface(`auth_use_pam_systemd',` dbus_system_bus_client($1) + systemd_connect_machined($1) systemd_dbus_chat_logind($1) ') diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te index 0f710243..ed004fb8 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -141,6 +141,7 @@ ifdef(`init_systemd',` auth_manage_faillog(local_login_t) init_dbus_chat(local_login_t) + systemd_connect_machined(local_login_t) systemd_dbus_chat_logind(local_login_t) systemd_use_logind_fds(local_login_t) systemd_manage_logind_runtime_pipes(local_login_t) diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 29a561c7..642d58e2 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -19,12 +19,18 @@ ## The user domain for the role. ## ## +## +## +## The type for the user pty +## +## # template(`systemd_role_template',` gen_require(` attribute systemd_user_session_type, systemd_log_parse_env_type; type systemd_user_runtime_t, systemd_user_runtime_notify_t; type systemd_run_exec_t, systemd_analyze_exec_t; + type systemd_machined_t; ') ################################# @@ -56,9 +62,13 @@ template(`systemd_role_template',` allow $1_systemd_t $3:process { setsched rlimitinh }; corecmd_shell_domtrans($1_systemd_t, $3) corecmd_bin_domtrans($1_systemd_t, $3) + allow $1_systemd_t self:process signal; + + files_search_home($1_systemd_t) # Allow using file descriptors for user environment generators allow $3 $1_systemd_t:fd use; + allow $3 $1_systemd_t:fifo_file rw_inherited_file_perms; # systemctl --user stream_connect_pattern($3, systemd_user_runtime_t, systemd_user_runtime_t, $1_systemd_t) 
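Review bot: The new `systemd_connect_machined($1)` inside auth_use_pam_systemd widens every caller of this interface at once, with no comment saying which PAM component needs it. The interface's documentation header lies outside the hunk; please check that it still describes the access granted, and add `# pam_systemd userdb lookups via /run/systemd/userdb/io.systemd.Machine` above the call if that is the reason (the path is the one given in the systemd.if interface doc in this commit).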
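Review bot: locallogin.te adds `systemd_connect_machined(local_login_t)` next to the existing `systemd_dbus_chat_logind(local_login_t)`, whereas the ssh.te hunk in this commit expresses the same pair through `auth_use_pam_systemd(sshd_t)`. For consistency the two direct calls here could become `auth_use_pam_systemd(local_login_t)`, if local_login_t is a pam_systemd user in the same way sshd_t is; the extra dbus_system_bus_client it brings is harmless if already granted elsewhere. The enclosing ifdef block starts and ends outside the hunk.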
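Review bot: The first systemd.if hunk adds a fourth documented parameter, `The type for the user pty`, and requires `type systemd_machined_t;` in systemd_role_template, but none of the visible template hunks references `$4` or systemd_machined_t. Unless rules using them sit in a part of the template outside these hunks, the parameter documentation and the gen_require are dead and will mislead callers into passing an argument that is ignored. Either add the rules that consume them or drop both additions; the template body runs well beyond the hunk.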
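Review bot: In the second systemd.if hunk the new `allow $3 $1_systemd_t:fifo_file rw_inherited_file_perms;` sits under the comment `# Allow using file descriptors for user environment generators`, which only mentions fds, and `allow $1_systemd_t self:process signal;` plus `files_search_home($1_systemd_t)` carry no comment at all. If the pipe rule is part of the environment-generator handshake, widen the comment to `# Allow using file descriptors and inherited pipes for user environment generators`; otherwise give it its own line. The template continues outside the hunk.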
@@ -66,6 +76,10 @@ template(`systemd_role_template',` can_exec($3, { systemd_run_exec_t systemd_analyze_exec_t }) dbus_system_bus_client($1_systemd_t) + + selinux_use_status_page($1_systemd_t) + seutil_read_file_contexts($1_systemd_t) + seutil_search_default_contexts($1_systemd_t) ') ###################################### @@ -487,6 +501,24 @@ interface(`systemd_read_machines',` allow $1 systemd_machined_runtime_t:file read_file_perms; ') +######################################## +## +## Allow connecting to /run/systemd/userdb/io.systemd.Machine socket +## +## +## +## Domain that can access the socket +## +## +# +interface(`systemd_connect_machined',` + gen_require(` + type systemd_machined_t; + ') + + allow $1 systemd_machined_t:unix_stream_socket connectto; +') + ######################################## ## ## Send and receive messages from @@ -1300,3 +1332,23 @@ interface(`systemd_run_sysusers', ` systemd_domtrans_sysusers($1) roleattribute $2 systemd_sysusers_roles; ') + +######################################## +## +## receive and use a systemd_machined_devpts_t file handle +## +## +## +## Domain allowed access. +## +## +## +# +interface(`systemd_use_machined_devpts', ` + gen_require(` + type systemd_machined_t, systemd_machined_devpts_t; + ') + + allow $1 systemd_machined_t:fd use; + allow $1 systemd_machined_devpts_t:chr_file { read write }; +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 9e68824e..39c37ac1 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -155,6 +155,9 @@ type systemd_machined_runtime_t alias systemd_machined_var_run_t; files_runtime_file(systemd_machined_runtime_t) init_daemon_runtime_file(systemd_machined_runtime_t, dir, "machines") +type systemd_machined_devpts_t; +term_login_pty(systemd_machined_devpts_t) + type systemd_modules_load_t; type systemd_modules_load_exec_t; init_daemon_domain(systemd_modules_load_t, systemd_modules_load_exec_t) 
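Review bot: The three libselinux-related rules added to $1_systemd_t (`selinux_use_status_page`, `seutil_read_file_contexts`, `seutil_search_default_contexts`) have no comment saying what the user instance does with them. If this is systemd --user labelling files it creates through selabel lookups, say so: `# label runtime files via libselinux (file_contexts + status page)`; if `seutil_search_default_contexts` is only there to silence a search denial on the default_contexts directory, that deserves its own note, since this hunk grants search but no read on those files. The template ends outside the hunk.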
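Review bot: `systemd_connect_machined` grants only `unix_stream_socket connectto` on systemd_machined_t, but its summary says it allows connecting to /run/systemd/userdb/io.systemd.Machine, and reaching a filesystem socket also needs write on the sock_file and search on its directory. Callers will still be denied unless they obtain those elsewhere; refpolicy normally expresses this as `stream_connect_pattern($1, <socket_file_type>, <socket_file_type>, systemd_machined_t)` with the type that labels the socket file (not visible on this page, hence the placeholder). The same connectto-only shape appears in the systemd.te @@ -559 hunk for systemd_logind_t. If the file permissions are intentionally left to the caller, the interface doc should say so.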
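Review bot: `allow $1 systemd_machined_devpts_t:chr_file { read write };` in systemd_use_machined_devpts is narrower than a terminal client usually needs: anything doing tcgetattr/tcsetattr or window-size queries on the received pty will hit ioctl denials, and getattr is commonly needed too. refpolicy's inherited-terminal permission sets (`rw_inherited_chr_file_perms`, or the term-specific one, if I recall them correctly) would match the intent better than a hand-picked pair, and the summary `receive and use a systemd_machined_devpts_t file handle` should start with a capital like the neighbouring interfaces. Please confirm against the denials seen with machinectl shell before widening.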
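Review bot: The new `type systemd_machined_devpts_t;` declaration in systemd.te has no comment saying what these ptys are for, so the choice of `term_login_pty` over the other pty interfaces cannot be reviewed from the file alone. A line such as `# ptys allocated by machined for machinectl shell sessions` (the purpose given in the dbus.te hunk of this commit) above the declaration would fix that.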
@@ -559,6 +562,9 @@ allow systemd_logind_t self:fifo_file rw_fifo_file_perms; allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms; init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir) +# for /run/systemd/userdb/io.systemd.Machine +allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto; + manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t) manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t) allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms; @@ -730,6 +736,8 @@ allow systemd_machined_t systemd_machined_runtime_t:lnk_file manage_lnk_file_per kernel_read_kernel_sysctls(systemd_machined_t) kernel_read_system_state(systemd_machined_t) +dev_getattr_fs(systemd_machined_t) + files_read_etc_files(systemd_machined_t) fs_getattr_cgroup(systemd_machined_t) @@ -753,6 +761,10 @@ logging_send_syslog_msg(systemd_machined_t) seutil_search_default_contexts(systemd_machined_t) +term_create_pty(systemd_machined_t, systemd_machined_devpts_t) +allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_file_perms; +term_getattr_pty_fs(systemd_machined_t) + optional_policy(` init_dbus_chat(systemd_machined_t) init_dbus_send_script(systemd_machined_t)
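Review bot: The direct `allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto;` duplicates the body of the new systemd_connect_machined interface from systemd.if. Within the same module a raw rule is acceptable, but calling `systemd_connect_machined(systemd_logind_t)` would keep a single definition of what connecting to machined means if the interface later grows the sock_file permissions. The comment `# for /run/systemd/userdb/io.systemd.Machine` is useful and should stay above whichever form is kept.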
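Review bot: `allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_file_perms;` in the last hunk applies the file-class permission set to a chr_file and grants create/unlink/link/rename on pty nodes, which devpts does not support, while `term_create_pty(systemd_machined_t, systemd_machined_devpts_t)` on the line above should already cover read/write/setattr on that type, if I recall that interface correctly. Unless a specific denial remains, the rule looks redundant; if something is still needed, name the exact permissions or use `manage_chr_file_perms` so the intent is visible. The optional_policy block that follows ends outside the hunk.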